Home > Vulnerability Database > CVE-2024-12720

Mend.io Vulnerability Database

CVE-2024-12720

Good to know:

Date: March 20, 2025

A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenization_nougat_fast.py. The vulnerability occurs in the post_process_single() function, where a regular expression processes specially crafted input. The issue stems from the regex exhibiting exponential time complexity under certain conditions, leading to excessive backtracking. This can result in significantly high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.46.3 (latest).

Severity Score

5.3

Related Resources (5)

Url: https://github.com/huggingface/transformers

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-12720

Url: https://github.com/huggingface/transformers/commit/deac971c469bcbb182c2e52da0b82fb3bf54cccf

Url: https://huntr.com/bounties/4bed1214-7835-4252-a853-22bbad891f98

Url: https://www.mend.io/vulnerability-database/CVE-2024-12720

Severity Score

5.3

Weakness Type (CWE)

Inefficient Regular Expression Complexity

CWE-1333

Top Fix

Upgrade Version

Upgrade to version transformers - 4.48.0;transformers - 4.48.0;transformers - 4.48.0;https://github.com/huggingface/transformers.git - v4.48.0

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2024-12720

Good to know:

Date: March 20, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?